In an effort to improve national security and address consumer concerns over data privacy, China recently adopted a significant new digital privacy law, set to go into effect later this fall. The Personal Information Protection Law (PIPL) takes effect Nov. 1 and, due to its wide-ranging nature, is likely to be highly influential on data protection policies in other countries as well.
The law was officially passed on Aug. 20, following three rounds of revisions in which the policy evolved substantially. The policy provides Chinese citizens with a large degree of data privacy and is quite likely to make the country a global leader in data protection. Protocol’s Shen Lu notes that the PIPL is indicative of the country’s “ambitions to set international norms in data protection.”
“This Law is formulated, on the basis of the Constitution, in order to protect personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information,” reads an English-language translation of Article 1 of the PIPL.
The law resembles the European Union’s General Data Protection Regulation (GDPR); however, it places a bit more emphasis on China’s national security than the GDPR does. Both the PIPL and the GDPR came about as a response to demand from grassroots movements calling for increased personal information protections, according to Protocol.
China has adopted other data processing laws in the past; however, the PIPL is the first law to regulate the processing of Chinese residents’ data in other countries. Though it’s normal for data protection legislation to include provisions dealing with extra-territorial data processing, some pundits believe the Chinese law is a bit harsher than is normal, due to its emphasis on national security. The PIPL allows the Chinese government to restrict data transfers to other countries if it deems such transfers to be harmful to national security, a concept which China defines more broadly than other countries, according to Protocol.
Additionally, critical information infrastructure operators (this includes groups such as government and financial entities) and entities that process large amounts of personal information are required to store this information within Mainland China, rather than overseas. “Large amounts” of personal information are not defined in the final draft of the law; however, previous versions of the law defined it as data on 500,000 and 1,000,000 residents of China. In order to transfer this information abroad to another entity, the transfer must be cleared by cybersecurity agencies.